4.02 Hacked. Fixed but need to find the hole

Our site was hacked last night and was redirecting to another site.
I was able to restore it by going in through FTP and deleting a few files that were put into the main directory.

c99.txt, c99.txt.1, 99.php, and 1 other before I copied it so I don't remember what that was called. It was still redirecting the site so I checked the .htaccess file, which didn't show a last modified date of yesterday so I didn't suspect it. Well, they wrote to the .htaccess file and it was redirecting the site.

So I uploaded a clean version and it's all working now.

My question: no one had access to FTP so I don't believe they got access through that. Is there a way that hackers are getting in through vBulletin? What should I be checking? Thanks in advance.

Comment

Firstly, you urgently need to upgrade to 4.2. Appreciate you'll need to upgrade the license but it'll be money well spent.

There are four steps to securing your site. If you don't do them all or you do them in the wrong order then you're still susceptible to being attacked again.

Close the hole...
This has three subparts in this instance.
1. Delete your install folder
2. Review your admin users and delete any that don't belong. Don't ban them. Don't make them regular users. Delete them.
3. Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions.

Fill the Hole...
There are seven subparts in this instance.
1. Review your files for changes. You can do this under Maintenance -> Diagnostics.
2. Delete any Suspect Files.
3. Replace any files marked as "Does not contain expected contents"
4. Scan your plugins for malicious code (exec, base64, system, pass_thru, iframe are all suspect keywords). Delete any you find.
5. Repair any templates. Any templates that you don't have notes on changing, you need to revert. If you're using a custom style, it is best to delete your existing style and reimport from a fresh download.
6. Update your Addon Products.
7. Rebuild your datastores. You can use tools.php in the "do not upload" folder to do this. Upload it to your admincp directory, delete when done.

Secure the Hole
Parts of this were done by closing the hole but there are still things to do here.
1. Keep notes of all changes you make to the system - what templates and phrases you change, what files belong to which addons, what plugins do the addons install.
2. Consider using a separate Super Admin who has access to admin logs in the AdminCP. There should be only one Super Admin.
3. Create a lower permission Administrator for everyday use.
4. Review your permissions in the system.
5. Block off access to the includes, modcp, packages and vb folders via .htaccess. Deny All can work here, unless you use the ModCP. You need user authorization there.
6. Move your attachments outside the forum root directory.
7. Create a complete backup of your site. Make database backups weekly.

Vigilance
You need to keep active on the security of the site.
1. Give out the fewest permissions necessary for anyone to do their job
2. Make sure your hosting provider updates the software.
3. Update to the latest vBulletin when it is released.
4. Make sure your addons are always up to date.
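
An added example, not part of the post above and not vBulletin's own tooling: a Python sketch of the file review and keyword scan from "Fill the Hole", run against a clean download. It compares content hashes instead of last-modified dates, since the .htaccess in the first post had been rewritten without showing a new date. The directory names, file contents and function names are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Keywords listed in step 4 of the post (pass_thru also matched as PHP's passthru).
SUSPECT = re.compile(r"\b(?:exec|system|pass_?thru)\s*\(|base64|<\s*iframe", re.I)

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(live_root, clean_root):
    """Return {relative_path: [findings]} for every file under live_root."""
    live_root, clean_root = Path(live_root), Path(clean_root)
    report = {}
    for path in sorted(p for p in live_root.rglob("*") if p.is_file()):
        rel = path.relative_to(live_root)
        clean, findings = clean_root / rel, []
        if not clean.is_file():
            findings.append("not in clean copy")
        elif sha256(path) != sha256(clean):
            findings.append("content differs from clean copy")
        lines = path.read_text(errors="replace").splitlines()
        for n, line in enumerate(lines, 1):
            match = SUSPECT.search(line)
            if match:
                findings.append(f"line {n}: suspect keyword {match.group(0)!r}")
        if findings:
            report[rel.as_posix()] = findings
    return report

def demo():
    """Build constructed clean/live trees in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            root.mkdir()
            (root / "index.php").write_text("<?php require 'forum.php';\n")
            (root / ".htaccess").write_text("Options -Indexes\n")
        (live / ".htaccess").write_text(
            "Options -Indexes\nRewriteRule ^ http://redirect.example/ [R,L]\n")
        stamp = (clean / ".htaccess").stat()  # make the date look unchanged
        os.utime(live / ".htaccess", (stamp.st_atime, stamp.st_mtime))
        (live / "99.php").write_text("<?php echo base64_decode('Y29uc3RydWN0ZWQ=');\n")
        return audit(live, clean)

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

Keyword hits are leads for manual review, since legitimate code also calls these functions; the hash comparison is what catches a changed file whose date looks untouched.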

Comment

We had the exact same issue. After upgrading to 4.2.2 all but the main folder issue went away. Tonight while I was on, the little weasel got in and changed the index.php file. I downloaded and backed everything up yesterday, so I simply overwrote it. He had also put a stich directory in. I also deleted that. I have asked Yahoo for help, but they don't have a clue.
